sys-auth/google-oslogin: Install soname symlinks and general tidy up

The missing soname symlinks were causing ldconfig to create them later,
breaking the sandbox. The upstream Makefile installs them for you, so
let's use it even though it needs some taming.

This adds the systemd timer to refresh the NSS cache. This seems
important, and I can't see any reason to omit it.

This also moves the binaries from /usr/libexec to /usr/bin. Upstream has
always put them in /usr/bin, and putting them elsewhere requires tweaks.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/Manifest

@@ -1 +1 @@
-DIST 20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834
+DIST guest-oslogin-20200910.00.tar.gz 42599 BLAKE2B 6c2917f03277834e54050e5bf94943dc311c70e3150247b91cee5835b09fb197686788373ab8cdff4f3f8e4baa85dd515bcb22a99530475bd7c3991d1d272ece SHA512 575813becdd7046b9c5813f33aad440737df6d0fa1d9345f8f4340fda4bc348b27860231ed163196cf06609fd3311fe2bbf45486c260c45a0a38795a95f09834

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/60-flatcar-google-oslogin.conf

@@ -1,3 +1,3 @@
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-pkg-config.patch

@@ -0,0 +1,20 @@
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -1,14 +1,14 @@
+ SHELL = /bin/sh
+ TOPDIR = $(realpath ..)
+ 
+-CPPFLAGS = -Iinclude -I/usr/include/json-c
++CPPFLAGS := -Iinclude $(shell $(PKG_CONFIG) --cflags libcurl json-c pam)
+ FLAGS = -fPIC -Wall -g
+ CFLAGS = $(FLAGS) -Wstrict-prototypes
+ CXXFLAGS = $(FLAGS)
+ 
+ LDFLAGS = -shared -Wl,-soname,$(SONAME)
+-LDLIBS = -lcurl -ljson-c
+-PAMLIBS = -lpam $(LDLIBS)
++LDLIBS := $(shell $(PKG_CONFIG) --libs libcurl json-c)
++PAMLIBS := $(shell $(PKG_CONFIG) --libs pam) $(LDLIBS)
+ 
+ # Paths which should be overrideable.
+ 

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/google-oslogin-var-lib.patch

@@ -3,15 +3,8 @@ From: Andrew Jeddeloh <andrew.jeddeloh@coreos.com>
 Date: Fri, 6 Jul 2018 15:54:40 -0700
 Subject: [PATCH] pam_module: use /var/lib/ instead of /var
 
----
- guest-oslogin/src/pam/pam_oslogin_admin.cc | 2 +-
- guest-oslogin/src/pam/pam_oslogin_login.cc | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/guest-oslogin/src/pam/pam_oslogin_admin.cc b/guest-oslogin/src/pam/pam_oslogin_admin.cc
-index 04d0808..376916e 100644
---- a/guest-oslogin/src/pam/pam_oslogin_admin.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_admin.cc
+--- a/src/pam/pam_oslogin_admin.cc
++++ b/src/pam/pam_oslogin_admin.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
  using oslogin_utils::UrlEncode;
  using oslogin_utils::kMetadataServerUrl;
@@ -21,10 +14,8 @@ index 04d0808..376916e 100644
  
  extern "C" {
  
-diff --git a/guest-oslogin/src/pam/pam_oslogin_login.cc b/guest-oslogin/src/pam/pam_oslogin_login.cc
-index 9e708f4..428600b 100644
---- a/guest-oslogin/src/pam/pam_oslogin_login.cc
-+++ b/guest-oslogin/src/pam/pam_oslogin_login.cc
+--- a/src/pam/pam_oslogin_login.cc
++++ b/src/pam/pam_oslogin_login.cc
 @@ -36,7 +36,7 @@ using oslogin_utils::ParseJsonToEmail;
  using oslogin_utils::UrlEncode;
  using oslogin_utils::kMetadataServerUrl;

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/files/sshd_config

@@ -9,7 +9,7 @@ UsePAM yes
 PrintLastLog no # handled by PAM
 PrintMotd no # handled by PAM
 # Needed for google oslogin
-AuthorizedKeysCommand /usr/libexec/google_authorized_keys
+AuthorizedKeysCommand /usr/bin/google_authorized_keys
 AuthorizedKeysCommandUser root
 # Temporarily accept ssh-rsa algorithm for openssh >= 8.8,
 # until most ssh clients could deprecate ssh-rsa.

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r3.ebuild

@@ -1,57 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
-HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
-SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-inherit pam toolchain-funcs
-
-DEPEND="
-	net-misc/curl[ssl]
-	dev-libs/json-c
-	sys-libs/pam
-"
-
-RDEPEND="${DEPEND}"
-
-S=${WORKDIR}/guest-oslogin-${PV}/
-
-src_prepare() {
-	eapply -p2 "$FILESDIR/0001-pam_module-use-var-lib-instead-of-var.patch"
-	default
-}
-
-src_compile() {
-	emake CC="$(tc-getCC)" CXX="$(tc-getCXX)" \
-            VERSION=${PV} \
-            JSON_INCLUDE_PATH="${SYSROOT%/}/usr/include/json-c"
-}
-
-src_install() {
-	dolib.so src/libnss_cache_oslogin-${PV}.so
-	dolib.so src/libnss_oslogin-${PV}.so
-
-	exeinto /usr/libexec
-	doexe src/google_authorized_keys
-	doexe src/google_oslogin_nss_cache
-
-	dopammod src/pam_oslogin_admin.so
-	dopammod src/pam_oslogin_login.so
-
-	# config files the base Ignition config will create links to
-	insinto /usr/share/google-oslogin
-	doins "${FILESDIR}/sshd_config"
-	doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
-	doins "${FILESDIR}/nsswitch.conf"
-	doins "${FILESDIR}/pam_sshd"
-	doins "${FILESDIR}/oslogin-sudoers"
-	doins "${FILESDIR}/group.conf"
-}

sdk_container/src/third_party/coreos-overlay/sys-auth/google-oslogin/google-oslogin-20200910.00-r4.ebuild

@@ -0,0 +1,81 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MY_P="guest-oslogin-${PV}"
+DESCRIPTION="Components to support Google Cloud OS Login. This contains bits that belong in USR"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> ${MY_P}.tar.gz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="systemd"
+
+inherit pam systemd toolchain-funcs
+
+DEPEND="
+	net-misc/curl[ssl]
+	dev-libs/json-c:=
+	sys-libs/pam
+"
+
+RDEPEND="
+	${DEPEND}
+	systemd? ( sys-apps/systemd )
+	!systemd? ( virtual/cron )
+"
+
+BDEPEND="
+	virtual/pkgconfig
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-var-lib.patch
+	"${FILESDIR}"/${PN}-pkg-config.patch
+)
+
+my_emake() {
+	emake \
+		VERSION="${PV}" \
+		PKG_CONFIG="$(tc-getPKG_CONFIG)" \
+		"${@}"
+}
+
+src_compile() {
+	my_emake \
+		CC="$(tc-getCC)" \
+		CXX="$(tc-getCXX)"
+}
+
+src_install() {
+	my_emake \
+		DESTDIR="${D}" \
+		PREFIX="${EPREFIX}/usr" \
+		BINDIR="\$(PREFIX)/bin" \
+		CRONDIR="${EPREFIX}/etc/cron.d" \
+		LIBDIR="\$(PREFIX)/$(get_libdir)" \
+		MANDIR="\$(PREFIX)/share/man" \
+		PAMDIR="$(getpam_mod_dir)" \
+		PRESETDIR="$(systemd_get_systempresetdir)" \
+		SYSTEMDDIR="$(systemd_get_systemunitdir)" \
+		INSTALL_CRON=$(usex !systemd 1 '') \
+		install
+
+	# Flatcar doesn't need this script.
+	rm "${ED}"/usr/bin/google_oslogin_control || die
+
+	# man pages need fixing up for Gentoo QA but Flatcar drops them anyway.
+	rm -r "${ED}"/usr/share/man || die
+
+	# config files the base Ignition config will create links to
+	insinto /usr/share/google-oslogin
+	doins "${FILESDIR}/sshd_config"
+	doins "${FILESDIR}/60-flatcar-google-oslogin.conf"
+	doins "${FILESDIR}/nsswitch.conf"
+	doins "${FILESDIR}/pam_sshd"
+	doins "${FILESDIR}/oslogin-sudoers"
+	doins "${FILESDIR}/group.conf"
+}